Security News > 2020 > June > GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack.
The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls session ticket key generate().
The bug, introduced in GnuTLS 3.6.4, was fixed in GnuTLS 3.6.14.
Ayer has been critical of GnuTLS in the past, referring to it as a "Clownish" TLS implementation in a blog post about the expiration of Sectigo's AddTrust legacy root certificate, which affected GnuTLS. Others echoed his disdain for GnuTLS, with some arguing for its removal as a dependency.
"Never use GnuTLS," quipped Thomas H. Ptacek, a security researcher and founder of Matasano Security.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/10/gnutls_patches_security_hole/
Related news
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products (source)
- Google Chrome to block admin-level browser launches for better security (source)